DOCSLIB.ORG

Sound Gradual Typing Is Nominally Alive and Well

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Sound Gradual Typing Is Nominally Alive and Well Sound Gradual Typing is Nominally Alive and Well FABIAN MUEHLBOECK, Cornell University, USA ROSS TATE, Cornell University, USA Recent research has identified significant performance hurdles that sound gradual typing needs to overcome. These performance hurdles stem from the fact that the run-time checks gradual type systems insert into code can cause significant overhead. We propose that designing a type system for a gradually typed language hand in hand with its implementation from scratch is a possible way around these and several other hurdles on the way to efficient sound gradual typing. Such a design process also highlights the type-system restrictions required for efficient composition with gradual typing. We formalize the core of a nominal object-oriented language that fulfills a variety of desirable properties for gradually typed languages, and present evidence that an implementation of this language suffers minimal overhead even in adversarial benchmarks identified in earlier work. CCS Concepts: · General and reference → Performance; · Software and its engineering → Formal language definitions; Runtime environments; Object oriented languages; Additional Key Words and Phrases: Gradual Typing, Nominal, Immediate Accountability, Transparency ACM Reference Format: Fabian Muehlboeck and Ross Tate. 2017. Sound Gradual Typing is Nominally Alive and Well. Proc. ACM Program. Lang. 1, OOPSLA, Article 56 (October 2017), 30 pages. https://doi.org/10.1145/3133880 1 INTRODUCTION Sound gradual typing is the idea that typed and untyped code can be mixed together in a single language in such a way that the typed code is able to execute as if there were no untyped code. This means that typed code can rely on type soundness to enable type-driven optimizations. The basic intuition of how to achieve sound gradual typing is relatively simple: we must protect the guarantees obtained through static type-checking by inserting run-time checks at locations in the code where values flow from untyped components to typed components. If a value from untyped code fails to have its expected type at run time, an exception is thrown. Thus, the statically checked components of the program can assume all values passed to them are well-typed. Painted this way, the picture leads us to expect that gradual typing may incur some overhead for those inserted checks, proportional to the number of times we transition from untyped to typed parts of the program. In the optimal scenario, these checks are infrequent and efficient, and thus the overall cost of gradual typing is low and can be easily estimated and planned for by analyzing the level of interaction between typed and untyped parts of the program. Furthermore, typed code can be optimized in ways untyped code cannot, so one would expect performance to smoothly improve as types are added to a code base. However, we are not aware of any existing proposal for a sound gradually typed language which has such performance behavior and reasonable performance for Authors’ addresses: Fabian Muehlboeck, Cornell University, Ithaca, NY, 14850, USA, [email protected]; Ross Tate, Cornell University, Ithaca, NY, 14850, USA, [email protected]. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice andthe full citation on the first page. Copyrights for components of this work owned by others than the author(s) must behonored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. © 2017 Copyright held by the owner/author(s). Publication rights licensed to Association for Computing Machinery. 2475-1421/2017/10-ART56 https://doi.org/10.1145/3133880 Proc. ACM Program. Lang., Vol. 1, No. OOPSLA, Article 56. Publication date: October 2017. 56 56:2 Fabian Muehlboeck and Ross Tate fully untyped code. In fact, Takikawa et al. [2016] measured extreme and unpredictable dips in performance for programs consisting of both typed and untyped code. These measurements were made on their current proposal for sound gradual typing for Racket [Tobin-Hochstadt and Felleisen 2006], but they argue that no other system provides convincing reasons for why it should perform significantly better. In this paper, we present a way to achieve efficient sound gradual typing. The core component of this approach is a nominal type system with run-time type information, which lets us verify assumptions about many large data structures with a single, quick check. The downside of this approach is that it limits expressivity, particularly with respect to structural data. Nonetheless, we argue that one should be able to build useful programming languages even under these limitations, and we sketch ideas about how to address the limitations in the future. Furthermore, by designing this system hand-in-hand with gradual typing, we are able to execute even untyped code efficiently despite our reliance on nominal typing. To support our claims about efficiency, we built a prototype compiler for a nominal object- oriented language and used it to implement key examples presented by Takikawa et al. Given that this involves a major shift in programming paradigms, we engineered the examples to exhibit the same complexity in terms of transitions between untyped and typed code as they did in Racket. Whereas Takikawa et al. measured overheads over 10,000% relative to the performance of fully untyped code, we measured worst-case overheads of less than 10%. In summary, the contributions of this paper are as follows: • We present new desirable properties of sound gradual type systems that we believe signifi- cantly improve their performance (Section 3). • We present a simple gradually typed nominal object-oriented language (Section 5 through 7) that fulfills the properties traditionally desired of gradual type systems in addition toour own new properties (Section 8). We also give a crisp connection between the direct semantics of the language (Section 6) and the cast semantics of the language (Section 7). • We provide evidence of our approach’s feasibility and efficiency by presenting an implemen- tation of said language and comparing benchmarks between it, Typed Racket [Takikawa et al. 2016], C# [Bierman et al. 2010], and Reticulated Python [Vitousek et al. 2014] (Section 9). • We illustrate the significant tradeoffs and future challenges of our approach and sketch possible avenues for addressing its current limitations in the future (Section 10). This work draws heavily from earlier work on gradual typing, which we review next. 2 BACKGROUND Gradual typing, as originally proposed by Siek and Taha [2006], features two core elements: a special type dyn and a consistency relation τ ∼ τ ′ expressing that τ and τ ′ are structurally equal except for places featuring dyn. For example, the following types are consistent: dyn ∼ (dyn → dyn) ∼ (int → dyn) ∼ (int → bool) A program in their gradually typed language type-checks according to the original typing rules, but with type equality replaced with the consistency relation in many places. This enables dyn to stand for any type while also maintaining the familiar static typing rules where dyn is not present. The gradually typed program is then translated into a variant of the original statically typed language by inserting dynamic casts where run-time checks are necessary to monitor the boundary between untyped and typed code. Here is how this works for an example program: f : dyn → dyn ⊢ (λf ′ : int → int. f ′ 5) f Proc. ACM Program. Lang., Vol. 1, No. OOPSLA, Article 56. Publication date: October 2017. Sound Gradual Typing is Nominally Alive and Well 56:3 The lambda term expects a parameter of type int → int, but it is applied to an argument of type dyn → dyn. Despite this difference in types, the program type-checks because these two types are considered to be consistent with each other. This gradually typed program is then translated to a statically typed program by inserting run-time casts, resulting in f : dyn → dyn ⊢ (λf ′ : int → int. f ′ 5)(f :: int → int) Here e :: τ represents a run-time check that e has type τ , conceptually throwing a run-time exception if it does not. 2.1 Casting Strategies In most gradual typing settings, casts are the only source of run-time overhead incurred by gradual typing. Thus, where casts are inserted and how they work has a big impact on the performance of a gradually typed program. Before we suggest our own variation on casts in Section 3, we give an overview of existing casting strategies that have been studied as such. 2.1.1 Guarded. Most work on sound gradual typingÐincluding the original works by Siek and Taha [2006], Tobin-Hochstadt and Felleisen [2006], Matthews and Findler [2007], and Gronski et al. [2006]Ðuses the guarded cast semantics. In those systems, a cast like the one above reduces as follows: f :: int → int 7→ λx : int. (f (x :: dyn)) :: int Instead of checking whether the function f always returns an int when given an int, which is generally impossible, it is wrapped in a new function that upcasts its input to dynÐwhich always worksÐand, after the call to f completes, checks that its output is an int. Wadler and Findler [2009], and later Ahmed et al. [2011], showed that this is sound even if it is later discovered that f does not always return an int when given an int. However, instead of having one check at the point where the function is passed to the typed part of the program, this strategy will incur checks every time the function is called, which can cause signficant overhead if that function is heavily used.
Load more

Recommended publications
  • Lackwit: a Program Understanding Tool Based on Type Inference
    Lackwit: A Program Understanding Tool Based on Type Inference Robert O’Callahan Daniel Jackson School of Computer Science School of Computer Science Carnegie Mellon University Carnegie Mellon University 5000 Forbes Avenue 5000 Forbes Avenue Pittsburgh, PA 15213 USA Pittsburgh, PA 15213 USA +1 412 268 5728 +1 412 268 5143 [email protected] [email protected] same, there is an abstraction violation. Less obviously, the ABSTRACT value of a variable is never used if the program places no By determining, statically, where the structure of a constraints on its representation. Furthermore, program requires sets of variables to share a common communication induces representation constraints: a representation, we can identify abstract data types, detect necessary condition for a value defined at one site to be abstraction violations, find unused variables, functions, used at another is that the two values must have the same and fields of data structures, detect simple errors in representation1. operations on abstract datatypes, and locate sites of possible references to a value. We compute representation By extending the notion of representation we can encode sharing with type inference, using types to encode other kinds of useful information. We shall see, for representations. The method is efficient, fully automatic, example, how a refinement of the treatment of pointers and smoothly integrates pointer aliasing and higher-order allows reads and writes to be distinguished, and storage functions. We show how we used a prototype tool to leaks to be exposed. answer a user’s questions about a 17,000 line program We show how to generate and solve representation written in C.
    [Show full text]
  • Gradual Typing with Inference Jeremy Siek University of Colorado at Boulder
    Gradual Typing with Inference Jeremy Siek University of Colorado at Boulder joint work with Manish Vachharajani Overview • Motivation • Background • Gradual Typing • Unification-based inference • Exploring the Solution Space • Type system (specification) • Inference algorithm (implementation) Why Gradual Typing? • Static and dynamic type systems have complimentary strengths. • Static typing provides full-coverage error checking, efficient execution, and machine-checked documentation. • Dynamic typing enables rapid development and fast adaption to changing requirements. • Why not have both in the same language? Java Python Goals for gradual typing Treat programs without type annotations as • dynamically typed. Programmers may incrementally add type • annotations to gradually increase static checking. Annotate all parameters and the type system • catches all type errors. 4 Goals for gradual typing Treat programs without type annotations as • dynamically typed. Programmers may incrementally add type • annotations to gradually increase static checking. Annotate all parameters and the type system • catches all type errors. dynamic static 4 Goals for gradual typing Treat programs without type annotations as • dynamically typed. Programmers may incrementally add type • annotations to gradually increase static checking. Annotate all parameters and the type system • catches all type errors. dynamic gradual static 4 The Gradual Type System • Classify dynamically typed expressions with the type ‘?’ • Allow implicit coercions to ? and from ? with any other type • Extend coercions to compound types using a new consistency relation 5 Coercions to and from ‘?’ (λa:int. (λx. x + 1) a) 1 Parameters with no type annotation are given the dynamic type ‘?’. 6 Coercions to and from ‘?’ ? (λa:int. (λx. x + 1) a) 1 Parameters with no type annotation are given the dynamic type ‘?’.
    [Show full text]
  • Principal Type Schemes for Gradual Programs with Updates and Corrections Since Publication (Latest: May 16, 2017)
    Principal Type Schemes for Gradual Programs With updates and corrections since publication (Latest: May 16, 2017) Ronald Garcia ∗ Matteo Cimini y Software Practices Lab Indiana University Department of Computer Science [email protected] University of British Columbia [email protected] Abstract to Siek and Taha (2006) has been used to integrate dynamic checks Gradual typing is a discipline for integrating dynamic checking into into a variety of type structures, including object-oriented (Siek a static type system. Since its introduction in functional languages, and Taha 2007), substructural (Wolff et al. 2011), and ownership it has been adapted to a variety of type systems, including object- types (Sergey and Clarke 2012). The key technical pillars of grad- oriented, security, and substructural. This work studies its applica- ual typing are the unknown type, ?, the consistency relation among tion to implicitly typed languages based on type inference. Siek gradual types, and support for the entire spectrum between purely and Vachharajani designed a gradual type inference system and dynamic and purely static checking. A gradual type checker rejects algorithm that infers gradual types but still rejects ill-typed static type inconsistencies in programs, accepts statically safe code, and programs. However, the type system requires local reasoning about instruments code that could plausibly be safe with runtime checks. type substitutions, an imperative inference algorithm, and a subtle This paper applies the gradual typing approach to implicitly correctness statement. typed languages, like Standard ML, OCaml, and Haskell, where This paper introduces a new approach to gradual type inference, a type inference (a.k.a. type reconstruction) procedure is integral to type checking.
    [Show full text]
  • Scala−−, a Type Inferred Language Project Report
    Scala−−, a type inferred language Project Report Da Liu [email protected] Contents 1 Background 2 2 Introduction 2 3 Type Inference 2 4 Language Prototype Features 3 5 Project Design 4 6 Implementation 4 6.1 Benchmarkingresults . 4 7 Discussion 9 7.1 About scalac ....................... 9 8 Lessons learned 10 9 Language Specifications 10 9.1 Introdution ......................... 10 9.2 Lexicalsyntax........................ 10 9.2.1 Identifiers ...................... 10 9.2.2 Keywords ...................... 10 9.2.3 Literals ....................... 11 9.2.4 Punctions ...................... 12 9.2.5 Commentsandwhitespace. 12 9.2.6 Operations ..................... 12 9.3 Syntax............................ 12 9.3.1 Programstructure . 12 9.3.2 Expressions ..................... 14 9.3.3 Statements ..................... 14 9.3.4 Blocksandcontrolflow . 14 9.4 Scopingrules ........................ 16 9.5 Standardlibraryandcollections. 16 9.5.1 println,mapandfilter . 16 9.5.2 Array ........................ 16 9.5.3 List ......................... 17 9.6 Codeexample........................ 17 9.6.1 HelloWorld..................... 17 9.6.2 QuickSort...................... 17 1 of 34 10 Reference 18 10.1Typeinference ....................... 18 10.2 Scalaprogramminglanguage . 18 10.3 Scala programming language development . 18 10.4 CompileScalatoLLVM . 18 10.5Benchmarking. .. .. .. .. .. .. .. .. .. .. 18 11 Source code listing 19 1 Background Scala is becoming drawing attentions in daily production among var- ious industries. Being as a general purpose programming language, it is influenced by many ancestors including, Erlang, Haskell, Java, Lisp, OCaml, Scheme, and Smalltalk. Scala has many attractive features, such as cross-platform taking advantage of JVM; as well as with higher level abstraction agnostic to the developer providing immutability with persistent data structures, pattern matching, type inference, higher or- der functions, lazy evaluation and many other functional programming features.
    [Show full text]
  • First Steps in Scala Typing Static Typing Dynamic and Static Typing
    CS206 First steps in Scala CS206 Typing Like Python, Scala has an interactive mode, where you can try What is the biggest difference between Python and Scala? out things or just compute something interactively. Python is dynamically typed, Scala is statically typed. Welcome to Scala version 2.8.1.final. In Python and in Scala, every piece of data is an object. Every scala> println("Hello World") object has a type. The type of an object determines what you Hello World can do with the object. Dynamic typing means that a variable can contain objects of scala> println("This is fun") different types: This is fun # This is Python The + means different things. To write a Scala script, create a file with name, say, test.scala, def test(a, b): and run it by saying scala test.scala. print a + b In the first homework you will see how to compile large test(3, 15) programs (so that they start faster). test("Hello", "World") CS206 Static typing CS206 Dynamic and static typing Static typing means that every variable has a known type. Dynamic typing: Flexible, concise (no need to write down types all the time), useful for quickly writing short programs. If you use the wrong type of object in an expression, the compiler will immediately tell you (so you get a compilation Static typing: Type errors found during compilation. More error instead of a runtime error). robust and trustworthy code. Compiler can generate more efficient code since the actual operation is known during scala> varm : Int = 17 compilation. m: Int = 17 Java, C, C++, and Scala are all statically typed languages.
    [Show full text]
  • Typescript Language Specification
    TypeScript Language Specification Version 1.8 January, 2016 Microsoft is making this Specification available under the Open Web Foundation Final Specification Agreement Version 1.0 ("OWF 1.0") as of October 1, 2012. The OWF 1.0 is available at http://www.openwebfoundation.org/legal/the-owf-1-0-agreements/owfa-1-0. TypeScript is a trademark of Microsoft Corporation. Table of Contents 1 Introduction ................................................................................................................................................................................... 1 1.1 Ambient Declarations ..................................................................................................................................................... 3 1.2 Function Types .................................................................................................................................................................. 3 1.3 Object Types ...................................................................................................................................................................... 4 1.4 Structural Subtyping ....................................................................................................................................................... 6 1.5 Contextual Typing ............................................................................................................................................................ 7 1.6 Classes .................................................................................................................................................................................
    [Show full text]
  • Typescript-Handbook.Pdf
    This copy of the TypeScript handbook was created on Monday, September 27, 2021 against commit 519269 with TypeScript 4.4. Table of Contents The TypeScript Handbook Your first step to learn TypeScript The Basics Step one in learning TypeScript: The basic types. Everyday Types The language primitives. Understand how TypeScript uses JavaScript knowledge Narrowing to reduce the amount of type syntax in your projects. More on Functions Learn about how Functions work in TypeScript. How TypeScript describes the shapes of JavaScript Object Types objects. An overview of the ways in which you can create more Creating Types from Types types from existing types. Generics Types which take parameters Keyof Type Operator Using the keyof operator in type contexts. Typeof Type Operator Using the typeof operator in type contexts. Indexed Access Types Using Type['a'] syntax to access a subset of a type. Create types which act like if statements in the type Conditional Types system. Mapped Types Generating types by re-using an existing type. Generating mapping types which change properties via Template Literal Types template literal strings. Classes How classes work in TypeScript How JavaScript handles communicating across file Modules boundaries. The TypeScript Handbook About this Handbook Over 20 years after its introduction to the programming community, JavaScript is now one of the most widespread cross-platform languages ever created. Starting as a small scripting language for adding trivial interactivity to webpages, JavaScript has grown to be a language of choice for both frontend and backend applications of every size. While the size, scope, and complexity of programs written in JavaScript has grown exponentially, the ability of the JavaScript language to express the relationships between different units of code has not.
    [Show full text]
  • Certifying Ocaml Type Inference (And Other Type Systems)
    Certifying OCaml type inference (and other type systems) Jacques Garrigue Nagoya University http://www.math.nagoya-u.ac.jp/~garrigue/papers/ Jacques Garrigue | Certifying OCaml type inference 1 What's in OCaml's type system { Core ML with relaxed value restriction { Recursive types { Polymorphic objects and variants { Structural subtyping (with variance annotations) { Modules and applicative functors { Private types: private datatypes, rows and abbreviations { Recursive modules . Jacques Garrigue | Certifying OCaml type inference 2 The trouble and the solution(?) { While most features were proved on paper, there is no overall specification for the whole type system { For efficiency reasons the implementation is far from the the theory, making proving it very hard { Actually, until 2008 there were many bug reports A radical solution: a certified reference implementation { The current implementation is not a good basis for certification { One can check the expected behaviour with a (partial) reference implementation { Relate explicitly the implementation and the theory, by developing it in Coq Jacques Garrigue | Certifying OCaml type inference 3 What I have be proving in Coq 1 Over the last 2 =2 years (on and off) { Built a certified ML interpreter including structural polymorphism { Proved type soundness and adequacy of evaluation { Proved soundness and completeness (principality) of type inference { Can handle recursive polymorphic object and variant types { Both the type checker and interpreter can be extracted to OCaml and run { Type soundness was based on \Engineering formal metatheory" Jacques Garrigue | Certifying OCaml type inference 4 Related works About core ML, there are already several proofs { Type soundness was proved many times, and is included in "Engineering formal metatheory" [2008] { For type inference, both Dubois et al.
    [Show full text]
  • Gradual Typing for a More Pure Javascript
    ! Gradual Typing for a More Pure JavaScript Bachelor’s Thesis in Computer Science and Engineering JAKOB ERLANDSSON ERIK NYGREN OSKAR VIGREN ANTON WESTBERG Department of Computer Science and Engineering CHALMERS TEKNISKA HÖGSKOLA GÖTEBORGS UNIVERSITET Göteborg, Sverige 2019 Abstract Dynamically typed languages have surged in popularity in recent years, owing to their flexibility and ease of use. However, for projects of a certain size dynamic typing can cause problems of maintainability as refactoring becomes increas- ingly difficult. One proposed solution is the use of gradual type systems, where static type annotations are optional. This results in providing the best of both worlds. The purpose of this project is to create a gradual type system on top of JavaScript. Another goal is to explore the possibility of making guarantees about function purity and immutability using the type system. The types and their relations are defined and a basic type checker is implemented to confirm the ideas. Extending type systems to be aware of side effects makes it easier to write safer software. It is concluded that all of this is possible and reasonable to do in JavaScript. Sammanfattning Dynamiskt typade programmeringsspråk har ökat kraftigt i popularitet de se- naste åren tack vare deras flexibilitet och användbarhet. För projekt av en viss storlek kan dock dynamisk typning skapa underhållsproblem då omstrukture- ring av kod blir allt svårare. En föreslagen lösning är användande av så kallad gradvis typning där statiskt typad annotering är frivillig, vilket i teorin fångar det bästa av två världar. Syftet med det här projektet är att skapa ett gradvist typsystem ovanpå Javascript.
    [Show full text]
  • Comparative Studies of Programming Languages; Course Lecture Notes
    Comparative Studies of Programming Languages, COMP6411 Lecture Notes, Revision 1.9 Joey Paquet Serguei A. Mokhov (Eds.) August 5, 2010 arXiv:1007.2123v6 [cs.PL] 4 Aug 2010 2 Preface Lecture notes for the Comparative Studies of Programming Languages course, COMP6411, taught at the Department of Computer Science and Software Engineering, Faculty of Engineering and Computer Science, Concordia University, Montreal, QC, Canada. These notes include a compiled book of primarily related articles from the Wikipedia, the Free Encyclopedia [24], as well as Comparative Programming Languages book [7] and other resources, including our own. The original notes were compiled by Dr. Paquet [14] 3 4 Contents 1 Brief History and Genealogy of Programming Languages 7 1.1 Introduction . 7 1.1.1 Subreferences . 7 1.2 History . 7 1.2.1 Pre-computer era . 7 1.2.2 Subreferences . 8 1.2.3 Early computer era . 8 1.2.4 Subreferences . 8 1.2.5 Modern/Structured programming languages . 9 1.3 References . 19 2 Programming Paradigms 21 2.1 Introduction . 21 2.2 History . 21 2.2.1 Low-level: binary, assembly . 21 2.2.2 Procedural programming . 22 2.2.3 Object-oriented programming . 23 2.2.4 Declarative programming . 27 3 Program Evaluation 33 3.1 Program analysis and translation phases . 33 3.1.1 Front end . 33 3.1.2 Back end . 34 3.2 Compilation vs. interpretation . 34 3.2.1 Compilation . 34 3.2.2 Interpretation . 36 3.2.3 Subreferences . 37 3.3 Type System . 38 3.3.1 Type checking . 38 3.4 Memory management .
    [Show full text]
  • Cross-Platform Language Design
    Cross-Platform Language Design THIS IS A TEMPORARY TITLE PAGE It will be replaced for the final print by a version provided by the service academique. Thèse n. 1234 2011 présentée le 11 Juin 2018 à la Faculté Informatique et Communications Laboratoire de Méthodes de Programmation 1 programme doctoral en Informatique et Communications École Polytechnique Fédérale de Lausanne pour l’obtention du grade de Docteur ès Sciences par Sébastien Doeraene acceptée sur proposition du jury: Prof James Larus, président du jury Prof Martin Odersky, directeur de thèse Prof Edouard Bugnion, rapporteur Dr Andreas Rossberg, rapporteur Prof Peter Van Roy, rapporteur Lausanne, EPFL, 2018 It is better to repent a sin than regret the loss of a pleasure. — Oscar Wilde Acknowledgments Although there is only one name written in a large font on the front page, there are many people without which this thesis would never have happened, or would not have been quite the same. Five years is a long time, during which I had the privilege to work, discuss, sing, learn and have fun with many people. I am afraid to make a list, for I am sure I will forget some. Nevertheless, I will try my best. First, I would like to thank my advisor, Martin Odersky, for giving me the opportunity to fulfill a dream, that of being part of the design and development team of my favorite programming language. Many thanks for letting me explore the design of Scala.js in my own way, while at the same time always being there when I needed him.
    [Show full text]
  • Reconciling Noninterference and Gradual Typing
    Reconciling noninterference and gradual typing Arthur Azevedo de Amorim Matt Fredrikson Limin Jia Carnegie Mellon University Carnegie Mellon University Carnegie Mellon University Abstract let f x = One of the standard correctness criteria for gradual typing is let b (* : Bool<S> *) = true in the dynamic gradual guarantee, which ensures that loosening let y = ref b in type annotations in a program does not affect its behavior in let z = ref b in arbitrary ways. Though natural, prior work has pointed out if x then y := false else (); that the guarantee does not hold of any gradual type system if !y then z := false else (); !z for information-flow control. Toro et al.’s GSLRef language, for example, had to abandon it to validate noninterference. We show that we can solve this conflict by avoiding a fea- f (<S>true) ture of prior proposals: type-guided classification, or the use of type ascription to classify data. Gradual languages require Figure 1. Prototypical failure of the DGG due to NSU checks. run-time secrecy labels to enforce security dynamically; if The program throws an error when run, but successfully type ascription merely checks these labels without modifying terminates if we uncomment the type annotation Bool<S>. them (that is, without classifying data), it cannot violate the dynamic gradual guarantee. We demonstrate this idea with GLIO, a gradual type system based on the LIO library that Sadly, the guarantee does not hold in any existing gradual enforces both the gradual guarantee and noninterference, language for information-flow control (IFC) [33]. featuring higher-order functions, general references, coarse- The goal of this paper is to remedy the situation for IFC lan- grained information-flow control, security subtyping and guages without giving up on noninterference.
    [Show full text]